|
| 1 | +#!/bin/sh |
| 2 | +# |
| 3 | +# SELinux environment checks to ensure configuration of the operating system |
| 4 | +# satisfies prerequisites to run regression test. |
| 5 | +# If incorrect settings are found, this script suggest user a hint. |
| 6 | +# |
| 7 | +PG_BINDIR="$1" |
| 8 | +PG_DATADIR="$2" |
| 9 | + |
| 10 | +echo |
| 11 | +echo "============== checking selinux environment ==============" |
| 12 | + |
| 13 | +# |
| 14 | +# Test.1 - must be launched at unconfined_t domain |
| 15 | +# |
| 16 | +echo -n "test unconfined_t domain ... " |
| 17 | + |
| 18 | +DOMAIN=`id -Z 2>/dev/null | sed 's/:/ /g' | awk '{print $3}'` |
| 19 | +if [ "${DOMAIN}" != "unconfined_t" ]; then |
| 20 | + echo "failed" |
| 21 | + echo |
| 22 | + echo "This regression test needs to be launched on unconfined_t domain." |
| 23 | + echo |
| 24 | + echo "The unconfined_t domain is mostly default domain of users' shell" |
| 25 | + echo "process. So, we suggest you to revert your special configuration" |
| 26 | + echo "on your system, as follows:" |
| 27 | + echo |
| 28 | + echo " \$ su -" |
| 29 | + echo " # semanage login -d `whoami`" |
| 30 | + echo |
| 31 | + echo "Or, add a setting to login as unconfined_t domain" |
| 32 | + echo |
| 33 | + echo " \$ su -" |
| 34 | + echo " # semanage login -a -s unconfined_u -r s0-s0:c0.c255 `whoami`" |
| 35 | + echo |
| 36 | + exit 1 |
| 37 | +fi |
| 38 | +echo "ok" |
| 39 | + |
| 40 | +# |
| 41 | +# Test.2 - 'runcon' must exist and be executable |
| 42 | +# |
| 43 | +echo -n "test runon command ... " |
| 44 | + |
| 45 | +CMD_RUNCON="`which runcon 2>/dev/null`" |
| 46 | +if [ ! -x "${CMD_RUNCON}" ]; then |
| 47 | + echo "failed" |
| 48 | + echo |
| 49 | + echo "The runcon must exist and be executable; it is internally used to" |
| 50 | + echo "launch psql command with a particular domain. It is mostly included" |
| 51 | + echo "within coreutils package. So, our suggestion is to install the latest" |
| 52 | + echo "version of this package." |
| 53 | + echo |
| 54 | + exit 1 |
| 55 | +fi |
| 56 | +echo "ok" |
| 57 | + |
| 58 | +# |
| 59 | +# Test.3 - 'sestatus' must exist and be executable |
| 60 | +# |
| 61 | +echo -n "test sestatus command ... " |
| 62 | + |
| 63 | +CMD_SESTATUS="`which sestatus 2>/dev/null`" |
| 64 | +if [ ! -x "${CMD_SESTATUS}" ]; then |
| 65 | + echo "failed" |
| 66 | + echo |
| 67 | + echo "The sestatus should exist and be executable; it is internally used to" |
| 68 | + echo "this checks; to show configuration of SELinux. It is mostly included" |
| 69 | + echo "within policycoreutils package. So, our suggestion is to install the" |
| 70 | + echo "latest version of this package." |
| 71 | + echo |
| 72 | + exit 1 |
| 73 | +fi |
| 74 | +echo "ok" |
| 75 | + |
| 76 | +# |
| 77 | +# Test.4 - 'getsebool' must exist and be executable |
| 78 | +# |
| 79 | +echo -n "test getsebool command ... " |
| 80 | + |
| 81 | +CMD_GETSEBOOL="`which getsebool`" |
| 82 | +if [ ! -x "${CMD_GETSEBOOL}" ]; then |
| 83 | + echo "failed" |
| 84 | + echo |
| 85 | + echo "The getsebool should exist and be executable; it is internally used to" |
| 86 | + echo "this checks; to show current setting of SELinux boolean variables." |
| 87 | + echo "It is mostly included within libselinux-utils package. So, our suggestion" |
| 88 | + echo "is to install the latest version of this package." |
| 89 | + echo |
| 90 | + exit 1 |
| 91 | +fi |
| 92 | +echo "ok" |
| 93 | + |
| 94 | +# |
| 95 | +# Test.5 - SELinux must be configured to enforcing mode |
| 96 | +# |
| 97 | +echo -n "test enforcing mode ... " |
| 98 | + |
| 99 | +CURRENT_MODE=`env LANG=C ${CMD_SESTATUS} | grep 'Current mode:' | awk '{print $3}'` |
| 100 | +if [ "${CURRENT_MODE}" != "enforcing" ]; then |
| 101 | + echo "failed" |
| 102 | + echo |
| 103 | + echo "SELinux must be configured to 'enforcing' mode." |
| 104 | + echo "You can switch SELinux to enforcing mode using setenforce command," |
| 105 | + echo "as follows:" |
| 106 | + echo |
| 107 | + echo " \$ su -" |
| 108 | + echo " # setenforce 1" |
| 109 | + echo |
| 110 | + echo "The system default setting is configured at /etc/selinux/config," |
| 111 | + echo "or kernel bool parameter. Please also check it, if you see this" |
| 112 | + echo "message although you didn't switch to permissive mode." |
| 113 | + echo |
| 114 | + exit 1 |
| 115 | +fi |
| 116 | +echo "ok" |
| 117 | + |
| 118 | +# |
| 119 | +# Test.6 - 'sepgsql-regtest' policy module must be loaded |
| 120 | +# |
| 121 | +echo -n "test sepgsql-regtest policy ... " |
| 122 | + |
| 123 | +SELINUX_MNT=`env LANG=C ${CMD_SESTATUS} | grep '^SELinuxfs mount:' | awk '{print $3}'` |
| 124 | +if [ ! -e ${SELINUX_MNT}/booleans/sepgsql_regression_test_mode ]; then |
| 125 | + echo "failed" |
| 126 | + echo |
| 127 | + echo "The 'sepgsql-regtest' policy module must be installed; that provide" |
| 128 | + echo "a set of special rules for this regression test." |
| 129 | + echo "You can install this module as follows:" |
| 130 | + echo |
| 131 | + echo " \$ make -f /usr/share/selinux/devel/Makefile -C contrib/selinux" |
| 132 | + echo " \$ su" |
| 133 | + echo " # semodule -i contrib/sepgsql/sepgsql-regtest.pp" |
| 134 | + echo |
| 135 | + echo "Then, you can confirm the policy package being installed, as follows:" |
| 136 | + echo |
| 137 | + echo " # semodule -l | grep sepgsql" |
| 138 | + echo |
| 139 | + exit 1 |
| 140 | +fi |
| 141 | +echo "ok" |
| 142 | + |
| 143 | +# |
| 144 | +# Test.7 - 'sepgsql_regression_test_mode' must be turned on |
| 145 | +# |
| 146 | +echo -n "test selinux boolean ... " |
| 147 | + |
| 148 | +if ! ${CMD_GETSEBOOL} sepgsql_regression_test_mode | grep -q ' on$'; then |
| 149 | + echo "failed" |
| 150 | + echo |
| 151 | + echo "The boolean variable of 'sepgsql_regression_test_mode' must be" |
| 152 | + echo "turned. It affects an internal state of SELinux policy, then" |
| 153 | + echo "a set of rules to run regression test will be activated." |
| 154 | + echo "You can turn on this variable as follows:" |
| 155 | + echo |
| 156 | + echo " \$ su -" |
| 157 | + echo " # setsebool sepgsql_regression_test_mode 1" |
| 158 | + echo |
| 159 | + echo "Also note that we recommend to turn off this variable after the" |
| 160 | + echo "regression test, because it activates unnecessary rules." |
| 161 | + echo |
| 162 | + exit 1 |
| 163 | +fi |
| 164 | +echo "ok" |
| 165 | + |
| 166 | +# |
| 167 | +# Test.8 - 'psql' command must be labeled as 'bin_t' type |
| 168 | +# |
| 169 | +echo -n "test label of psql ... " |
| 170 | + |
| 171 | +CMD_PSQL="${PG_BINDIR}/psql" |
| 172 | +LABEL_PSQL=`stat -c '%C' ${CMD_PSQL} | sed 's/:/ /g' | awk '{print $3}'` |
| 173 | +if [ "${LABEL_PSQL}" != "bin_t" ]; then |
| 174 | + echo "failed" |
| 175 | + echo |
| 176 | + echo "The ${CMD_PSQL} must be labeled as bin_t type." |
| 177 | + echo "You can assign right label using restorecon, as follows:" |
| 178 | + echo |
| 179 | + echo " \$ su - (not needed, if you owns installation directory)" |
| 180 | + echo " # restorecon -R ${PG_BINDIR}" |
| 181 | + echo |
| 182 | + echo "Or, using chcon" |
| 183 | + echo |
| 184 | + echo " # chcon -t bin_t ${CMD_PSQL}" |
| 185 | + echo |
| 186 | + exit 1 |
| 187 | +fi |
| 188 | +echo "ok" |
| 189 | + |
| 190 | +# |
| 191 | +# Test.9 - 'sepgsql' must be installed |
| 192 | +# and, not configured to permissive mode |
| 193 | +# |
| 194 | +echo -n "test sepgsql installation ... " |
| 195 | + |
| 196 | +VAL="`${CMD_PSQL} template1 -tc 'SHOW sepgsql.permissive' 2>/dev/null`" |
| 197 | +RETVAL="$?" |
| 198 | +if [ $RETVAL -eq 2 ]; then |
| 199 | + echo "failed" |
| 200 | + echo |
| 201 | + echo "The postgresql server process is not connectable." |
| 202 | + echo "Please check your installation first, rather than selinux settings." |
| 203 | + echo |
| 204 | + exit 1 |
| 205 | +elif [ $RETVAL -ne 0 ]; then |
| 206 | + echo "failed" |
| 207 | + echo |
| 208 | + echo "The sepgsql module was not loaded. So, our recommendation is to" |
| 209 | + echo "confirm 'shared_preload_libraries' setting in postgresql.conf," |
| 210 | + echo "then restart server process." |
| 211 | + echo "It must have '\$libdir/sepgsql' at least." |
| 212 | + echo |
| 213 | + exit 1 |
| 214 | +elif ! echo "$VAL" | grep -q 'off$'; then |
| 215 | + echo "failed" |
| 216 | + echo |
| 217 | + echo "The GUC variable 'sepgsql.permissive' was set to 'on', although" |
| 218 | + echo "system configuration is enforcing mode." |
| 219 | + echo "You should eliminate this setting from postgresql.conf, then" |
| 220 | + echo "restart server process." |
| 221 | + echo |
| 222 | + exit 1 |
| 223 | +fi |
| 224 | +echo "ok" |
| 225 | + |
| 226 | +# |
| 227 | +# Test.10 - 'template1' database must be labeled |
| 228 | +# |
| 229 | +echo -n "test template1 database ... " |
| 230 | + |
| 231 | +NUM=`${CMD_PSQL} template1 -tc 'SELECT count(*) FROM pg_catalog.pg_seclabel' 2>/dev/null` |
| 232 | +if [ -z "${NUM}" -o "$NUM" -eq 0 ]; then |
| 233 | + echo "failed!" |
| 234 | + echo |
| 235 | + echo "Initial labels must be assigned on the 'template1' database; that shall" |
| 236 | + echo "be copied to the database for regression test." |
| 237 | + echo "See Installation section of the PostgreSQL documentation." |
| 238 | + echo |
| 239 | + exit 1 |
| 240 | +fi |
| 241 | +echo "ok" |
| 242 | + |
| 243 | +# |
| 244 | +# check complete - |
| 245 | +# |
| 246 | +echo |
| 247 | +exit 0 |
0 commit comments